

Abstract. In this paper we prove that the sponge construction introduced in [4] is indifferentiable from a random oracle when being used with a random transformation or a random permutation and discuss its implications. To our knowledge, this is the first time indifferentiability has been shown for a construction calling a random permutation (instead of an ideal compression function or ideal block cipher) and for a construction generating outputs of any length (instead of a fixed length).

...ere, the security parameter is the capacity c and not the output length of the hash function. Note that other constructions also consider the size of the internal state as a security parameter, e.g., [13]. One may ask the question: what does this say about resistance to classical attacks such as collision-resistance, including multicollisions [9], (2nd) preimage resistance, including long-message atta...


Abstract. We propose a family of compression functions built from fixed-key blockciphers and investigate their collision and preimage security in the ideal-cipher model. The constructions have security approaching and in many cases equaling the security upper bounds found in previous work of the authors [24]. In particular, we describe a 2n-bit to n-bit compression function using three n-bit permutation calls that has collision security N^0.5, where N = 2^n, and we describe 3n-bit to 2n-bit compression functions using five and six permutation calls and having collision security of at least N^0.55 and N^0.63. Key words: blockcipher-based hashing, collision-resistant hashing, compression functions, cryptographic hash functions, ideal-cipher model.


Abstract. Since the seminal works of Merkle and Damgård on the iteration of compression functions, hash functions were built from compression functions using the Merkle-Damgård construction. Recently, several flaws in this construction were identified, allowing for second pre-image attacks and chosen target pre-image attacks on such hash functions even when the underlying compression functions are secure. In this paper we propose the HAsh Iterative FrAmework (HAIFA). Our framework can fix many of the flaws while supporting several additional properties such as defining families of hash functions and supporting variable hash size. HAIFA allows for an online computation of the hash function in one pass with a fixed amount of memory independently of the size of the message. Besides our proposal, the recent attacks initiated research on the way compression functions are to be iterated. We show that most recent proposals such as randomized hashing, the enveloped Merkle-Damgård, and the RMC and ROX modes can all be instantiated as part of the HAsh

...It is possible to treat the two parameters salt and #bits as additional fields in the chaining value and remove them in the last block. The approach of increasing the chaining value was promoted in [11] and it may seem that our suggestion follows this approach. However, the analysis in [11] assumes that the hash function is a “good” hash function for all the bits of the chaining value, while our app...


Abstract. We provide attacks and analysis that capture a tradeoff, in the ideal-permutation model, between the speed of a permutation-based hash function and its potential security. We show that any 2n-bit to n-bit compression function will have unacceptable collision resistance if it makes fewer than three n-bit permutation invocations, and any 3n-bit to 2n-bit compression function will have unacceptable security if it makes fewer than five n-bit permutation invocations. Any rate-α hash function built from n-bit permutations can be broken, in the sense of finding preimages as well as collisions, in about N^(1−α) queries, where N = 2^n. Our results provide guidance when trying to design or analyze a permutation-based hash function about the limits of what can possibly be done.


Abstract. Understanding what construction strategy has a chance to be a good hash function is extremely important nowadays. In TCC’04, Maurer et al. [13] introduced the notion of indifferentiability as a generalization of the concept of the indistinguishability of two systems. In Crypto’2005, Coron et al. [5] suggested to employ indifferentiability in generic analysis of hash functions and started by suggesting four constructions which enable eliminating all possible generic attacks against iterative hash functions. In this paper we continue this initial suggestion and we give a formal proof of indifferentiability and indifferentiable attack for prefix-free MD hash functions (for single block length (SBL) hash and also some double block length (DBL) constructions) in the random oracle model and in the ideal cipher model. In particular, we observe that there are sixteen PGV hash functions (with prefix-free padding) which are indifferentiable from random oracle model in the ideal cipher model.

...erations (left or right), and rotate left (circular shift left) operation. BMW uses a Double Pipe design to increase the resistance against generic multicollision attacks and length extension attacks [12,13]. In the double pipe design, the size of the inputs to the compression function are twice the message digest size. The inputs to the compression function are the message blocks M_i of size 512 bits, a...


Abstract. We introduce the notion of a weak ideal compression function, which is vulnerable to strong forms of attack, but is otherwise random. We show that such weak ideal compression functions can be used to create secure hash functions, thereby giving a design that can be used to eliminate attacks caused by undesirable properties of compression functions. We prove that the construction we give, which we call the “zipper hash,” is ideal in the sense that the overall hash function is indistinguishable from a random oracle when implemented with these weak ideal building blocks. The zipper hash function is relatively simple, requiring two compression function evaluations per block of input, but it is not streamable. We also show how to create an ideal (strong) compression function from ideal weak compression functions, which can be used in the standard iterated way to make a streamable hash function. Keywords: Hash function, compression function, Merkle-Damgård, ideal primitives, non-streamable hash functions, zipper hash.

... strings z, H(x||z) = H(y||z) is another collision. Merkle-Damgård strengthening does not solve this problem completely, since the attack still works if |x| = |y| and z contains the correct padding. [16, 13] – Joux multicollision attack [10]. It is easier than expected to find multicollisions: that is, a set of many distinct inputs that all hash to the same value. For a generic hash function, finding a t...

Combined with the iterated constructions of Coron et al., our result leads to the first iterated construction of a hash function {0,1}* → {0,1}^n from a component function {0,1}^n → {0,1}^n that withstands all recently proposed generic attacks against iterated hash functions, like Joux's multi-collision attack, Kelsey and Schneier's second-preimage attack, and Kelsey and Kohno's herding attacks.

1 Introduction

1.1 Secret vs. Public Random Functions

Primitives that provide some form of randomness are of central importance in cryptography, both as a primitive assumed to be given (e.g. a secret key), and as a primitive constructed from a weaker one to "behave like" a certain ideal random primitive (e.g. a random function), according to some security notion.

...[18]. One possibility to overcome these issues is to rely on a compression function with input domain much larger than the size of the output of the construction (cf. for example the constructions in [20] and the double block-length construction of [12]), but this does not seem to be the best possible approach, both from a theoretical and from a practical viewpoint, as explained below. A proof, like t...

(on leave to Bauhaus-University Weimar, Germany) Abstract. This paper proposes a construction for collision resistant 2n-bit hash functions, based on n-bit block ciphers with 2n-bit keys. The construction is analysed in the ideal cipher model; for n = 128 an adversary would need roughly 2^122 units of time to find a collision. The construction employs “combinatorial” hashing as an underlying building block (like Universal Hashing for cryptographic message authentication by Wegman and Carter). The construction runs at rate 1, thus improving on a similar rate 1/2 approach by Hirose (FSE 2006).

...model the underlying primitive as a fixed-size random oracle or as an ideal block cipher, the constructions proposed in [8] behave like a random oracle for arbitrary input sizes. The same year, Lucks [17] proposed variations of the PIHF construction with some fall-back property to defend against compression function weaknesses. Lucks’ “failure-friendly” variations of PIHFs do not suffer from length-ex...

version 1.3 BLAKE is our proposal for SHA-3. BLAKE entirely relies on previously analyzed components: it uses the HAIFA iteration mode and builds its compression function on the ChaCha core function. BLAKE resists generic second-preimage attacks, length extension, and side-channel attacks. Theoretical and empirical security guarantees are given, against structural and differential attacks. BLAKE hashes on a Core 2 Duo at 12 cycles/byte, and on an 8-bit PIC microcontroller at 400 cycles/byte. In hardware BLAKE can be implemented in less than 9900 gates, and reaches a throughput of 6 Gbps.